Don't Back Down

Posted by Chad Everett on April 5, 2006

Password Cracking Speed

How safe is your password? Using this handy list (via) you can get some idea. The list describes several classes of password-cracking hardware. I would suggest that the Class D level, described as a "Fast PC, Dual Processor PC", is the realistic minimum: everything below it is based on a Pentium 100, which is pretty slow hardware these days. Not everyone has a dual-processor PC, but they're not uncommon, so let's use Class D as our baseline.

Using this as our guideline, a 6-character password drawn from the 62 characters available in upper- and lower-case letters and digits gives 57 billion possibilities, and according to this site, Class D hardware can exhaust every one of them in just 1.5 hours. That's not long. Add common symbols to the mix (raising the pool to 96 characters) and the combinations grow to 782 billion for the same 6-character length, so the same hardware takes somewhat longer to run through every candidate: 22 hours.

Increasing the length of your password makes the job harder. An 8-character password drawn from the pool of 62 letters and digits has 218 trillion possibilities, which would take the same hardware a whopping 253 days to process. Using the 96-character pool that includes common symbols pushes that to 23 years on the same hardware!

Keep in mind that a brute-force attack doesn't necessarily have to try every combination: it only has to find yours. An 8-character password like 'aaaaaaaa' will be cracked relatively easily, early in the cycle, while one that looks more like 'Z34dA9*s' will take longer to turn up. That's just the way things work. Also remember that as hardware gets faster, the time needed to run through those candidates shrinks, so if you never change your passwords, you might want to start. Phishing scams only matter to an attacker when brute-forcing your account isn't worth the time.

Comments (7)

Don't they have to crack BOTH username AND password? I would think that substantially makes it harder to break in.

Sure, that is true (except in some instances, like a few consumer electronic products, where there is no user name).

But if you consider that many services use the service name as the default user name, then you've already got the user name in many instances.

In other cases, determining the user name is as simple as looking at the part of the name prior to the '@' sign in an email address. Then you just have to work on the password.

It strikes me that where you set your username, a little cleverness in the username will greatly compound your security effectiveness. Of course most usernames are not case sensitive. But should application builders apply the same case sensitivity to user names as passwords, you could easily have a system nearly impossible to crack.

Just to beat a dead horse, it occurred to me that anyone trying to crack a password would have to assume the user had a long one with all the different characters whether that was true or not.

I would contend that special characters likely don't make your password any more secure, as the cracker doesn't know whether you're using them or not. In that case password length would be the greatest deterrent to password cracking. A twenty-character password would likely be virtually impossible to crack.

Sure. If you don't know the password, there are essentially two approaches. The first is what is commonly referred to as a 'dictionary' attack, in which case a dictionary file is used, and all common words (including common names, and even common names with a varying number of digits appended, such as ted123) are tried as passwords.

Assuming you have followed basic good password guidelines and not used standard words, then you should be relatively safe from such an approach, and even using just lowercase letters and making a long password will keep you safer than a short password, because the attacker will be forced into a brute force method.

In this approach, they start with 'a', then go to 'aa', then 'aaa', and so on. Most common systems these days will - or should - provide systems such as captchas or automated utilities to shut down the account after a certain number of invalid attempts, at least for a short while, meaning that the attacker cannot simply throw thousands of attempts at it. But that's not always the case.

In any event, looking at the same chart, we see that a 12 character password composed of only lower case alpha characters offers some 95 quadrillion combinations. Using the Class D hardware mentioned earlier, that actually may be safer than an 8 character password of mixed upper and lower case alpha, numbers and special characters (potential cracking timeframe of 302 years vs 23 years).

Of course, if you compared an 8-character password vs. an 8-character password, you're talking just 348 minutes, or slightly less than 6 hours, to run every single possibility for the lowercase-alphabet-only password past the hardware.

Just like with any other protection, be it for your car or your home - if someone wants it badly enough, they'll likely find a way to get it. And even if you use the most comprehensive password mechanism available, that's not to say they'll approach it in sequential order, and they might get it on the first try. But it gives you more options.
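The arithmetic in the post (6- and 8-character passwords over 62- and 96-character pools) and in the reply above (12 lowercase characters vs. 8 mixed characters, 348 minutes for 8 lowercase) all follow from one formula: pool size raised to the password length, divided by the guess rate. The script below is an added example, not code from the original post or from the linked list. It assumes a Class D rate of 10 million guesses per second, which is what the post's own figures (57 billion candidates in 1.5 hours, 218 trillion in 253 days) imply rather than a number the list states, and it adds two things the discussion only gestures at: the average-case time (half the keyspace, since the attacker stops when your password turns up) and the shortest length a given pool needs to reach a target search time at a given rate.

```python
"""Keyspace and exhaustive-search time for fixed-length passwords.

Added example for this post; it reproduces the post's Class D figures from
first principles and is not code from the post or the linked list.
"""

# Assumption: the post's Class D numbers (57 billion in 1.5 h, 218 trillion in
# 253 days) both work out to roughly 10 million guesses per second.
CLASS_D_RATE = 10_000_000  # guesses per second

# Character pools named in the post and the comments.
LOWERCASE = 26             # a-z
ALPHANUMERIC = 62          # a-z, A-Z, 0-9
ALPHANUMERIC_SYMBOLS = 96  # the post's "common symbols" pool

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the pool."""
    return pool_size ** length


def seconds_to_exhaust(pool_size: int, length: int, rate: float = CLASS_D_RATE) -> float:
    """Worst case: every candidate in the keyspace is tried once."""
    return keyspace(pool_size, length) / rate


def expected_seconds(pool_size: int, length: int, rate: float = CLASS_D_RATE) -> float:
    """Average case for a uniformly random password: half the keyspace is searched
    before the right candidate comes up, so the attacker stops halfway on average."""
    return seconds_to_exhaust(pool_size, length, rate) / 2


def min_length_for(pool_size: int, target_seconds: float, rate: float = CLASS_D_RATE) -> int:
    """Shortest length whose full keyspace takes at least `target_seconds` to exhaust.

    Uses integer exponentiation rather than logarithms so an exact power of the
    pool size never rounds to the wrong length."""
    needed = target_seconds * rate
    length = 1
    while pool_size ** length < needed:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", SECONDS_PER_HOUR), ("minutes", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_table(rate: float = CLASS_D_RATE):
    """The cases discussed in the post and the comments, as (pool, length, keyspace, worst-case time)."""
    cases = [
        (ALPHANUMERIC, 6), (ALPHANUMERIC_SYMBOLS, 6),
        (ALPHANUMERIC, 8), (ALPHANUMERIC_SYMBOLS, 8),
        (LOWERCASE, 8), (LOWERCASE, 12),
    ]
    return [(p, n, keyspace(p, n), human(seconds_to_exhaust(p, n, rate))) for p, n in cases]


if __name__ == "__main__":
    print(f"{'pool':>4} {'len':>3} {'candidates':>22} {'exhaust (Class D)':>20}")
    for pool, length, size, when in crack_table():
        print(f"{pool:>4} {length:>3} {size:>22,} {when:>20}")
    # The "faster hardware" point from the post: the same 8-character lowercase
    # password against a rate 1000x Class D, and the length needed to keep a
    # lowercase-only password at the 23-year mark the post gives for 96^8.
    print("8 lowercase at 1000x Class D:", human(seconds_to_exhaust(LOWERCASE, 8, CLASS_D_RATE * 1000)))
    print("lowercase length for 23 years at Class D:",
          min_length_for(LOWERCASE, 23 * SECONDS_PER_YEAR))
```

Running it prints the post's figures (1.6 hours, 21.7 hours, 252.7 days, 22.9 years) and the comment's (348 minutes, 302 years) from the same two-line formula, which is the point: the pool only multiplies the base, while each extra character multiplies the whole keyspace, so length is the cheaper lever once dictionary words are off the table.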

I am trying to figure out how to crack UN and PW. The UN are standard FUB123456 (FUB with 6 digits) and the PW is standard 8 digits. Is there a program out there that will allow me to enter previous codes and try to make matches?

I use it now
